IBM Support

WinCollect: Monitoring agents with status server events

Question & Answer


Question

As an administrator, is there a way to monitor WinCollect agent status for potential issues?

Answer

The Status Server field in WinCollect is used to forward agent status events in Syslog format to QRadar. The status events provide useful information to administrators, such as:
 
  • Service Stopped
  • Service Started
  • Heartbeat (active communication)
  • Optional. Statistics (sources, disk space)
When WinCollect is installed on a Windows host and configured to forward events to QRadar SIEM, a separate log source is created for the WinCollect agent itself, which carries the agent's health information. Status server events help administrators monitor WinCollect agents that might be experiencing issues in a QRadar deployment. For example, you can use status server events to track whether an agent encounters a service issue or stops sending events.
How to enable status server events for your WinCollect 10 agent
Administrators who did not configure the status server during the WinCollect 10 installation can enable it manually with the following steps:
  1. Connect to the Windows host.
  2. Launch the WinCollect 10 agent user interface.
  3. In the navigation menu, click Agent Settings.
  4. In the Status Server field, type the IP address of the QRadar host that receives the status events, and make sure that the Enabled checkbox is selected.
  5. Optional. If TCP is selected as the protocol, click Test Connection to verify that the agent can reach the status server.
    Note: The test function cannot be used with UDP, which is connectionless and gives no confirmation that a message was delivered.
  6. Click Save.
  7. When prompted, review your pending changes.

    Tip: If there are pending changes for an agent, they are displayed as a list. The bell icon in the WinCollect 10 agent interface indicates that there are pending changes for the agent that still need to be applied.
  8. Click Apply Changes.

    Results
    The status server starts sending agent status events to QRadar. If you restart the WinCollect agent, a Service Stopped event is followed by a Service Started event. This pair indicates that a user clicked Restart WinCollect in the agent user interface or manually restarted the WinCollect service (WinCollect.exe) in Windows. The condition worth alerting on is the opposite pattern: a Service Stopped event that is not followed by Service Started, or an agent whose heartbeat events stop arriving.
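    As an added example, which is not code from the IBM page or from the WinCollect product, the following Python script shows the kind of check an administrator can run over status server events once they reach QRadar: it parses a small constructed batch of Syslog lines, tracks each agent's last event and service state, and reports agents that are stopped without a matching Service Started, agents whose heartbeats have gone stale, and expected agents that never reported at all. The message layout (`WinCollect[pid]: Status: ...`), the five-minute heartbeat interval, the host names and the `year` parameter are assumptions made for this example; adapt the regular expression to the event format your deployment actually receives.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of status-server events as they might arrive at a
# QRadar collector. The message layout is an assumption for this example.
SAMPLE_EVENTS = """\
<13>Jun 30 13:00:00 wc-host-01 WinCollect[1204]: Status: Heartbeat
<13>Jun 30 13:00:00 wc-host-02 WinCollect[2210]: Status: Heartbeat
<13>Jun 30 13:00:00 wc-host-03 WinCollect[3318]: Status: Heartbeat
<13>Jun 30 13:05:00 wc-host-01 WinCollect[1204]: Status: Heartbeat
<13>Jun 30 13:05:00 wc-host-02 WinCollect[2210]: Status: Heartbeat
<13>Jun 30 13:06:12 wc-host-02 WinCollect[2210]: Status: Service Stopped
<13>Jun 30 13:06:20 wc-host-02 WinCollect[2211]: Status: Service Started
<13>Jun 30 13:10:00 wc-host-01 WinCollect[1204]: Status: Heartbeat
<13>Jun 30 13:10:00 wc-host-02 WinCollect[2211]: Status: Heartbeat
<13>Jun 30 13:15:00 wc-host-01 WinCollect[1204]: Status: Heartbeat
<13>Jun 30 13:15:00 wc-host-02 WinCollect[2211]: Status: Heartbeat
<13>Jun 30 13:15:31 wc-host-01 WinCollect[1204]: Status: Service Stopped
"""

# BSD-style syslog header followed by the assumed WinCollect status message.
LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"WinCollect\[\d+\]: Status: (?P<msg>.+)$"
)


def parse_events(text, year=2023):
    """Return a time-sorted list of (timestamp, host, message) tuples.

    BSD syslog timestamps carry no year, so the caller supplies one.
    Lines that do not look like status events are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["msg"].strip()))
    events.sort()
    return events


def agent_health(events, now, expected_hosts=(),
                 heartbeat_interval=timedelta(minutes=5), missed=2):
    """Return {host: [problem, ...]} for agents that need attention.

    An agent is flagged when its last status event was Service Stopped,
    when it has been silent for longer than `missed` heartbeat intervals,
    or when it is expected but sent nothing at all.
    """
    last_seen = {}
    state = {}
    for ts, host, msg in events:
        last_seen[host] = ts
        if msg == "Service Stopped":
            state[host] = "stopped"
        elif msg in ("Service Started", "Heartbeat"):
            # A stopped service cannot heartbeat, so either message means running.
            state[host] = "running"

    findings = {}
    for host in set(last_seen) | set(expected_hosts):
        problems = []
        if host not in last_seen:
            problems.append("no status events received from this agent")
        else:
            if state.get(host) == "stopped":
                problems.append("Service Stopped without a subsequent Service Started")
            silence = now - last_seen[host]
            if silence > heartbeat_interval * missed:
                problems.append(
                    f"no status event for {silence} "
                    f"(last seen {last_seen[host]:%Y-%m-%d %H:%M:%S})"
                )
        if problems:
            findings[host] = problems
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    report = agent_health(
        evs,
        now=datetime(2023, 6, 30, 13, 20, 0),
        expected_hosts={"wc-host-01", "wc-host-02", "wc-host-03", "wc-host-04"},
    )
    for host in sorted(report):
        for problem in report[host]:
            print(f"{host}: {problem}")
```

    In the sample, wc-host-02 restarted cleanly (Stopped followed by Started, then heartbeats resumed) and is not reported; wc-host-01 is reported because its last event is Service Stopped, wc-host-03 because it went silent after 13:00, and wc-host-04 because it is expected but never reported. In a real deployment the same logic maps onto a QRadar rule on the WinCollect agent log source, with the heartbeat interval set to match the agent's actual configuration.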


    Tip: For a dashboard that shows both agent versions and Windows OS information, see the IBM QRadar Security Analytics Self Monitoring content pack. This content pack includes custom properties that help identify agent versions from the Syslog status events.


Document Information

Modified date: 30 June 2023

UID: ibm16999233